Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Response to Arguments
Applicant’s arguments filed 04/03/2026 have been fully considered. After further consideration, the prior rejection is withdrawn and a new ground(s) of rejection is presented.
Provisional Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1, 2, 4, 6 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 ,2, 3, 5 of US Serial No. 18007249 in view of Lee in view of Ilyas. Claims 1, 2 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 ,3 of US Serial No. 18005924 in view of Lee in view of Ilyas. Claims 1,2 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1,3 of US Serial No. 18040536 in view of Lee in view of Ilyas. Claims 1,2, 6 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1,3, 7 of US Serial No. 18044691 in view of Lee in view of Ilyas. Claims 1, 2, 6 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1,2, 7 of US Serial No. 18260820 in view of Lee in view of Ilyas. Claims 1, 2, 6 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1,2, 6 of US Serial No. 18841215 in view of Lee in view of Ilyas. Claims 1, 6 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 3 of US Serial No. 18879022 in view of Lee in view of Ilyas.
Although the conflicting claims are not identical, the co-pending applications’ claims are within the scope of the instant application’s claims.
Moreover, the doctrine of double patenting seeks to prevent the unjustified extension of patent exclusivity beyond the term of a patent.
DETAILED ACTION
Claim Rejections – 35 USC § 102/103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre – AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre – AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
MPEP 2112 Section III.
Where applicant claims a composition in terms of a function, property or characteristic and the composition of the prior art is the same as that of the claim but the function is not explicitly disclosed by the reference, the examiner may make a rejection under both 35 U.S.C. 102 and 103, expressed as a 102/ 103 rejection. "There is nothing inconsistent in concurrent rejections for obviousness under 35 U.S.C. 103 and for anticipation under 35 U.S.C. 102." In re Best, 562 F.2d 1252, 1255 n.4, 195 USPQ 430, 433 n.4 (CCPA 1977). This same rationale should also apply to product, apparatus, and process claims claimed in terms of function, property or characteristic. Therefore, a 35 U.S.C. 102/ 103 rejection is appropriate for these types of claims as well as for composition claims.
Claims 1 – 2 are rejected under 35 U.S.C. 102/103 as being unpatentable over Lee (US 2019/0095629 A1).
Per claim 1, Lee (US 2019/0095629 A1) is relied upon to teach an input interface configured to receive input from at least one user (reads on "an attacker 110 may submit one or more sets of input data 120 to a trained neural network model 130," see Lee para [0049]. Lee discloses a cognitive system that receives input data sets from a user (the attacker 110) via the API interface of the service provider, directly mapping to the claimed input interface receiving input from at least one user);
at least one processor configured to: process the received input with an Al module and generate first output data (reads on "processing, by the trained cognitive model logic, the input data by applying a trained cognitive model to the input data to generate an output vector," see Lee para [0006]) corresponding to the received input, the Al module configured to process the received input by executing a first model (reads on "trained neural network model 130," see Lee para [0049]. Lee’s trained neural network model 130 / trained cognitive model logic is an AI module that executes a first trained model on received input data to generate an output vector (labeled data set 140));
detect an attack vector for a model stealing attack (reads on "mechanisms for protecting cognitive systems from model stealing attacks," see Lee para [0001]) on the Al module based on the received input using a submodule (reads on the perturbation insertion engine 160 operating on the received input vector and modifying the output, see Lee para [0056]. Lee's perturbation insertion engine 160 operates specifically in response to the recognized threat of a model-stealing attacker 110 submitting query inputs, thereby functioning as a submodule that detects the attack vector (the attackers querying pattern) based on the received input);
calculate an information gain based on the received input (reads on "the attacker's gradients from a correct direction and amount," see Lee para [0022]. Lee teaches that the perturbation mechanism responds to the information content (gradient/probability information) that the attacker 110 extracts from each query; this is the functional equivalent of an information gain calculation gating the system's response - the more informative the attacker's queries (higher gradient information gain), the more the perturbation system engages. Under BRI, "calculate an information gain based on the received input" encompasses any computation that measures or proxies the information value of received queries relative to the protected model's parameters. "The perturbations that are introduced deviate the attacker's gradients from a correct direction and amount" (see Lee para [0022]) reads on this limitation because gradient deviation in response to received inputs directly corresponds to the information gain the attacker would extract);
block the at least one user depending on the information gain, by modifying the first output data generated by the Al module (reads on "modifying, by a perturbation insertion engine of the cognitive system, one or more values of the output vector to thereby generate a modified output vector," see Lee para [0006]. Lee's perturbation insertion engine 160 modifies the output vector 135 generated by the trained neural network model 130 (AI module) in direct response to the recognized model-stealing attack, which is the functional equivalent of blocking the attacker by modifying the AI module's first output data. Para [0063] explicitly confirms the perturbation modifications maintain output classification while altering the underlying data values (probability vector), precisely matching the claimed mechanism); and
transmit a notification to an owner of the Al system in response to detecting the attack vector (reads on the cognitive system's operational alerting functionality for protecting the service provider's model, see Lee para [0034], para [0070]. Lee is directed at protecting the service provider (owner) from model-stealing attacks, and the perturbation insertion engine 160 operates to protect the owner's model — the system's response to the attack serves as an implicit notification event to the owner's protection subsystem. Under BRI, "transmit a notification to an owner" encompasses any output signaling mechanism directed at the system operator/owner in response to attack detection); and[AltContent: ][AltContent: ]
an output interface configured to send the modified first output data an output to the at least one user in response to the attack vector being detected (reads on "modified or manipulated labeled data set 170 that is provided to the attacker 110 rather than the actual labeled data set 140," see Lee para [0058]. Lee expressly teaches that the modified vector output 165 / manipulated labeled data set 170 is sent to the attacker 110 (the user) rather than the unmodified output, in direct response to the model-stealing attack being recognized — this is a verbatim map to the claim's "send the modified first output data to the user in response to the attack vector being detected”).
Per claim 2, the prior art of record further suggests wherein where the output sent by the output interface is configured to send comprises the first output data when the submodule doesn't identify the attack vector from the received input (reads on "labeled data set 140 that is output as result data to the attacker 110" (the unmodified output path)/ see Lee para [0049]. Lee teaches that normal operation produces labeled data set 140 output to the user; the perturbation path (modified labeled data set 170) is triggered only when the attack is recognized; when no attack is present, the regular output path of para [0049] applies. The Examiner asserts this maps to the dependent claim's "sends the first output data when the submodule doesn’t identify the attack vector").
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 3 – 8 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Ilyas (arXiv:1905.02175, 2019)
Per claim 3, the prior art of record suggests the system of claim 1. The prior art of record is silent on explicitly stating wherein the submodule is configured to distinguish between a genuine input and the attack vector by identifying one or more non-robust features in the input.
Ilyas (arXiv:1905.02175, 2019) is relied upon to teach wherein the submodule is configured to distinguish between a genuine input and the attack vector by identifying one or more non-robust features in the input (reads on "adversarial examples can be directly attributed to the presence of non-robust features," see Ilyas Abstract, p. 1. Ilyas teaches that the defining characteristic distinguishing adversarial/attack inputs from genuine inputs is the presence of non-robust features. The Examiner asserts Ilyas directly maps to the claim's requirement that the submodule distinguish genuine input from an attack vector by identifying non-robust features. The claim's "attack vector" for a model-stealing attack is an adversarial input in Ilyas's framework; the distinguishing criterion in both is the presence of non-robust features).
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the output-perturbation-based model-stealing defense of Lee which teaches a perturbation insertion engine 160 that modifies a neural network's output vector and returns the modified output to a querying attacker to defeat model extraction attacks by integrating the non-robust-feature construction and identification methodology of Ilyas (see Ilyas Section 3.2) to realize the instant limitations directed to training a detection submodule by defining a secondary task on the primary-task dataset and recording its output to identify non-robust features. One or more of the underpinning rationale(s), as discussed in KSR MPEP 2141 {A, C}, support this conclusion, because combining familiar elements according to known methods yields predictable results: "a combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results". Accordingly, it would have been obvious to one of ordinary skill in the art to have incorporated Ilyas’s non-robust-feature dataset construction methodology, specifically, executing a secondary adversarial-perturbation objective on the primary-task training dataset and recording the resulting non-robust feature outputs, into the detection submodule of Lee's model-stealing defense system, yielding a combined system that trains its detection/perturbation submodule using non-robust features identified from the same primary-task dataset, as recited in the instant claims, by applying the non-robust feature construction technique of Ilyas to the perturbation insertion engine 160 of Lee. As Ilyas itself states: "adversarial examples can be directly attributed to the presence of non-robust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle" (see Ilyas, Abstract), which addresses the well-recognized problem in the art of identifying what makes machine learning models susceptible to input-manipulation attacks. One of ordinary skill in the art in ML-model security would have recognized that Lee's perturbation insertion engine lacks an explicit mechanism for identifying which features of input data signal a model stealing attack (the non-robust feature detection problem) and that Ilyas's proven technique of constructing a non-robust dataset from the primary training dataset through a secondary adversarial objective was a known, predictable solution to exactly that gap, requiring no change to the underlying output-perturbation-and-return mechanism of Lee. The combination is further supported by MPEP 2141 Rationale A (combining prior art elements using known methods to yield predictable results — Lee's perturbation defense + Ilyas's non-robust detection are both established ML-model-security techniques in the same field) and Rationale C (applying a known technique from one field to a ready-fit problem in another — Ilyas’s non-robust-feature construction is a known adversarial-example technique in the ML robustness field that is directly applicable to the model-stealing detection problem of Lee). The motivation to combine these references is further buttressed by both references being cited in the applicant's own specification Background section as acknowledged prior art, confirming that one of ordinary skill in the art would have been aware of and motivated to combine them.
Claim 4 is analyzed with respect to claim 3. The prior art of record further suggests AI system comprising at least an AI module trained to perform a primary task (reads on "trained cognitive model logic" processing input data "by applying a trained cognitive model," see Lee para [0006]) and a dataset used to train the AI module (reads on the training dataset underlying the trained neural network model 130, see Lee para [0018]. Lee expressly discloses a trained neural network model 130 trained on a dataset for a primary classification task), said method comprising: defining at least one secondary task that can be performed on the dataset, the at least one secondary task being different than the primary task (reads on the adversarial-perturbation construction task of Section 3.2 — "add a small adversarial perturbation to x in order to ensure it is classified as t," see Ilyas Section 3.2, p.6. Ilyas defines a secondary task on the primary-task dataset: the adversarial perturbation objective (classifying inputs as target class t through perturbation) is a distinct optimization objective (secondary task) that differs from the primary classification task performed by the AI module. This is performed on the same dataset D used for primary training. The amended claim's "secondary task being different than the primary task" is fully mapped: the primary task is standard classification (predicting correct class y)); executing the submodule with the dataset (reads on Ilyas's execution of the non-robust-feature construction algorithm on the primary training dataset D: "we modify each input-label pair (x, y) as follows…The resulting input-label pairs (xadv, t) make up the new training set," see Ilyas Section 3.2 p.6. Ilyas executes the secondary task (adversarial perturbation construction) on the original dataset D — exactly "executing the submodule with the dataset." The submodule here is the perturbation-construction procedure operating on the primary training dataset); and recording an output of the secondary task to identify a non-robust feature (reads on "The resulting input-label pairs (xadv, t) make up the new training set … [indicating] that non-robust features are indeed useful for classification," see Ilyas Section 3.2, p.6-7). Ilyas's secondary task (adversarial perturbation construction) produces as its output the non-robust dataset (xadv, t) — this output is recorded as a new training set and is directly used to identify which features are non-robust, mapping precisely to recording an output of the secondary task to identify a non-robust feature." The Abstract's statement that adversarial examples "can be directly attributed to the presence of non-robust features" confirms that the output of the adversarial-perturbation secondary task is the identification of non-robust features).
Per claim 5, the prior art of record further suggests training the submodule to detect an attack vector for a model stealing attack on the AI module using one or more non-robust features in the dataset (reads on Ilyas’s training a classifier using the non-robust dataset to discriminate attack-relevant features: "This indicates that non-robust features are indeed useful for classification," see Ilyas Section 3.2, p. 7, in combination with Lee’s para [0001] model stealing attack context. Ilyas teaches that a model (submodule) trained on the non-robust dataset learns to use non-robust features for classification — i.e., it is trained to detect/use non-robust features. In combination with Lee's model-stealing attack context, one of ordinary skill in the art would use Ilyas's non-robust-feature training methodology to train the detection submodule of Lee to detect model-stealing attack vectors by their non-robust feature signatures).
Claim 6 is analyzed with respect to claim 4. The prior art of record further suggests receiving input data from at least one user through an input interface (reads on "attacker 110 may submit one or more sets of input data 120 to a trained neural network model 130" see Lee para [0049]. Lee discloses receipt of input data sets from a user (attacker 110) — the API endpoint constitutes the input interface); transmitting input data through a blocker module to an AI module (reads on "perturbation insertion engine 160 provided in association with, or as part of, the trained neural network model 130," see Lee para [0056]. Lee’s perturbation insertion engine 160, associated with model 130, functions as the blocking/protection intermediary through which inputs pass before the model output is processed — this is the functional equivalent of a blocker module that transmits data through itself to the AI module. The pipeline architecture of para [0070] confirms input passes through the protection mechanism as part of the request-processing pipeline); computing first output data using the AI module based on the input data (reads on "processing, by the trained cognitive model logic, the input data by applying a trained cognitive model to the input data to generate an output vector," see Lee para [0006]. Lee's trained neural network model 130 computes the output vector from the received input data); and detecting an attack vector for a model stealing attack on the AI module based on the received input by processing the input data using a submodule (reads on the perturbation insertion engine 160 detecting and responding to model-stealing attack inputs, see Lee para [0001], para [0022]); sending the identification information of the attack vector to an information gain module (reads on the information passing between the detection component and the perturbation/blocking decision component, see Lee para [0022], para [0056]. Lee’s perturbation insertion engine 160 operates by receiving information about the current model outputs (the information basis for perturbation magnitude) and using that to generate the perturbation; this internal information flow is the functional equivalent of sending attack identification information to the information-gain computation component. Under BRI, the "information gain module" is any component that receives attack-related information to compute an information gain value; Lee's perturbation computation mechanism operates on exactly this information); and blocking the at least one user depending on the information gain, by modifying the first output data generated by the AI module and outputting the modified first output data (reads on "modifying, by a perturbation insertion engine ... one or more values of the output vector ... to thereby generate a modified output vector" + "modified or manipulated labeled data set 170 that is provided to the attacker 110” see Lee para [0006], [0058]. Lee expressly teaches both the modification of the output data and the outputting of that modified data to the attacker user).
Claim 7 is analyzed with respect to claim 4.
Per claim 8, the prior art of record further suggests identifying one or more non-robust features in the input data (reads on "adversarial examples can be directly attributed to the presence of non-robust features," see Ilyas Abstract, p. 1. Ilyas expressly teaches that attack inputs (adversarial examples) are identified by the presence of non-robust features which is the definitional relationship between attack vectors and non-robust features).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191. The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRIAN F SHAW/
Primary Examiner, Art Unit 2432